CSRF - Cross-site request forgery
CSRF is an attack in which a site controlled by the attacker makes the victim's browser send a request to a site the victim is logged in to. The browser attaches the victim's session cookie automatically, so the target site processes the request as if the victim had made it. CSRF tokens are the usual defence against this, and the interesting part for a pentester is how often that defence is implemented badly.
Say you are building a website with a profile section that lets a user update their address. Now along comes a bad actor. They analyse the request the form sends and find that it can be forged: it is a POST to a fixed URL with a fixed set of parameters, authenticated by nothing more than the session cookie the browser adds on its own. They create their own website and put a button (or an auto-submitting form) on it which sends that same request to the profile endpoint of your website, updating the address of whoever is logged in when they click it.
This means that the attacker can change a victim's address from his own website. That may seem fairly innocent, but replace the profile page with a bank: what if the attacker can transfer money from the currently logged-in account to his own? That changes the matter entirely.
To prevent this, you as the website builder have several options. One of them is a CSRF token: an extra parameter in the request which is generated on the server, is unpredictable, is bound to the user's session and is only delivered in pages your own site serves. The browser's same-origin policy stops the attacker's page from reading it, so short of some illicit tactics (which we will dig into later) there is no way for the attacker to obtain it. When the attacker replays the request, the token parameter is missing or wrong, the server refuses to complete the request and returns an error. Hack successfully blocked... or is it?
Though the idea of CSRF tokens is very solid, it's easy to mess up the implementation. We as pentesters have several things to test for:
Yes, it is possible to automate this. We will be using Burp Suite's Match and Replace rules, which rewrite every request passing through the proxy.
Depending on whether the CSRF token is sent in a request header or in the request body, we need to pick the matching rule type (Request header or Request body) so the rule touches the right part of the request.